New Round in Privacy Fight Between Dutch Railways and Passenger

A train passenger has submitted an enforcement request to the Dutch Data Protection Authority, because he argues that Dutch Railways (NS) violates the privacy of train passengers.

In response to three new attempts by Dutch Railways (NS) to violate the privacy of train passengers, NS customer Michiel Jonker has submitted a request for enforcement to the Dutch Data Protection Authority (DPA). It concerns:

  • Rejecting the reimbursement of the remaining balance on anonymous public transport chip cards if the holder does not provide his or her name and address data to NS;
  • Refusing international train tickets by NS employees at station desks if buyers do not provide their name and address data to NS;
  • Charging, since 2 July 2018, additional "service costs" when holders of anonymous public transport chip cards pay in cash for topping up the balance on these cards.

Since July 2014, NS has already launched attacks on the privacy of Dutch train passengers in various ways. It then concerned:

  • Discriminating holders of anonymous public transport chip cards in discount hours;
  • Requiring de-anonymization of the anonymous public transport chip cards when NS is asked to provide services (for example, reimbursing money in the event of delays);
  • Applying two unique card numbers on each anonymous OV chip card, as a result of which the anonymity of these cards is affected.

As a traveler who wants to maintain his privacy, Jonker repeatedly asked the DPA to investigate these violations and to take enforcement measures. Jonker already won several lawsuits against the DPA, which initially refused to even investigate the reports.

The recently adopted General Data Protection Regulation (GDPR) will play an important role in the assessment of the new violations by NS. Another central issue will be the right to pay by cash, which protects privacy.

Jonker: "In all these matters, the question is whether users of Dutch public transport are entitled to a real, effective protection of their privacy. This question is more relevant than ever, when you see how people are treated in situations where privacy is not adequately protected. We don't only think about China with its Social Credit score, or the United States with their "No Fly" lists, but also about European countries where laws have been adopted in recent years that allow the government to spy on travelers who are not even suspected of any punishable or risky behavior. For example France with its permanent state of emergency and the Netherlands with its new Intelligence and Security Act."

In this new case as well, Jonker is supported by Privacy First and Maatschappij voor Beter OV.